Workbench is a more efficient and convenient connection tool than Virtual Network Computing (VNC) and allows multiple users to connect to a single Elastic Compute Service (ECS) instance at the same time. Workbench supports the following authentication methods for logons to instances: password-based authentication, key-based authentication, and credential-based authentication.

Prerequisites

  • A logon password is set for or a key pair is bound to the Linux instance to which you want to connect.
  • The instance is in the Running state.
  • Security group rules are added to allow the IP addresses related to the Workbench service to access the instance. For more information about the security group rules, see the Add security group rules to allow Workbench access to a Linux instance section in this topic.

Background information

  • By default, a Workbench remote session persists for 6 hours. If no operations are performed for 6 hours, the remote connection is disconnected and you must reconnect to the instance.
  • Workbench can be used to connect to ECS instances over one of the following protocols:
    • SSH: By default, Linux instances are connected by using SSH. SSH can also be used to connect to Windows instances on which a GNU-like system such as Cygwin is installed. For information about how to connect to a Linux instance over SSH, see the Connect to a Linux instance over SSH section in this topic.
    • Remote Desktop Protocol (RDP): By default, Windows instances are connected by using RDP. RDP can also be used to connect to Linux instances on which remote desktop services are enabled. For information about how to connect to a Linux instance over RDP, see the Connect to a Linux instance over RDP section in this topic.
      Note: If you want to connect to an instance over RDP, make sure that the public bandwidth is at least 5 Mbit/s. If the public bandwidth is less than 5 Mbit/s, the remote desktop freezes.
  • You can use the GUI provided by Workbench to manage files and system services in your Linux instances in a visual manner. For more information, see Use Workbench to manage files in a Linux instance.

Connect to a Linux instance over SSH

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect and click Connect in the Actions column.
  5. In the Connection and Command dialog box, click Connect in the Workbench Connection section.
  6. In the Instance Login dialog box, specify parameters. You can select Fewer Options or More Options in the lower part of the dialog box to switch to simple or advanced mode.
    Typically, only the parameters displayed when the dialog box is in simple mode are required. The following table describes the parameters.
    Parameter: Description
    Instance: The information of the current instance is automatically populated. You can also manually enter the IP address or name of another instance.
    Connection:
      • To connect to an instance that resides in a virtual private cloud (VPC), you can use the public or private IP address of the instance.
      • To connect to an instance that resides in the classic network, you can use the public or internal IP address of the instance.
    Authentication: Select an authentication method. Valid values:
      • Password-based: Enter a user name (example: root) and its password.
      • Certificate-based: Enter a user name (example: root) and then enter or upload a certificate. If the certificate is encrypted, enter its key passphrase.
      • Credential-based: Select an existing credential or create a credential.

      You can use credentials to store instance information such as usernames, passwords, and keys so that you do not need to enter this information each time you log on to instances. When you connect to an instance by using Workbench, you can select a credential to securely log on to the instance. If no credentials are present for an instance in Workbench, create a credential for the instance. For information about how to create a credential, see Create a credential in Workbench.

    In the lower part of the dialog box, click More Options to switch to advanced mode to show more parameters. The following table describes the parameters displayed only when the dialog box is in advanced mode.
    Parameter: Description
    Resource Group: By default, All is selected. You can manually select a resource group from the drop-down list.
    Region: By default, All is selected. You can manually select a region from the drop-down list.
    Protocol: By default, Terminal Connection (SSH) is selected.
    Port: When Protocol is set to Terminal Connection (SSH), this parameter is automatically set to 22.
    Language: Select your preferred language. The selected language affects command outputs on the instance. We recommend that you select Default for Workbench to detect the language settings of the instance and to make configurations accordingly.
    Character Set: Select your preferred character set. The selected character set affects command outputs on the instance. We recommend that you select Default for Workbench to detect the character set settings of the instance and to make configurations accordingly.
  7. Click OK.
If all of the prerequisites are met but the instance cannot be connected, perform the following checks on the instance:
  • Check whether the sshd service (such as sshd in Linux) is enabled. If not, enable the sshd service.
  • Check whether the required terminal connection port (typically port 22) is enabled. If not, enable the port.
  • If you want to log on to the Linux instance as the root user, make sure that both the PermitRootLogin and PasswordAuthentication parameters are set to yes in the /etc/ssh/sshd_config file. For more information, see the Enable root logon over SSH on a Linux instance section in this topic.

Connect to a Linux instance over RDP

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
  5. In the Connection and Command dialog box, click Connect in the Workbench Connection section.
  6. In the Instance Login dialog box, specify parameters.
    1. In the lower part of the dialog box, click More Options.
    2. Set Protocol to Remote Desktop (RDP).
    3. In the Mismatch Between OS and Protocol message, click OK.
    4. Specify the parameters described in the following table.
      Parameter: Description
      Resource Group: By default, All is selected. You can manually select a resource group from the drop-down list.
      Region: By default, All is selected. You can manually select a region from the drop-down list.
      Instance: The information of the current instance is automatically populated. You can also manually enter the IP address or name of another instance.
      Connection:
        • To connect to an instance that resides in a VPC, you can use the public or private IP address of the instance.
        • To connect to an instance that resides in the classic network, you can use the public or internal IP address of the instance.
      Port: When Protocol is set to Remote Desktop (RDP), this parameter is automatically set to 3389.
      Authentication: Select an authentication method. Valid values:
        • Password-based: Enter a user name (example: Administrator) and its password.
        • Credential-based: Select an existing credential or create a credential.

        You can use credentials to store instance information such as usernames, passwords, and keys so that you do not need to enter this information each time you log on to instances. When you connect to an instance by using Workbench, you can select a credential to securely log on to the instance. For more information about credentials, see Create a credential in Workbench.

  7. Click OK.
If all of the prerequisites are met but the instance cannot be connected, perform the following checks on the instance:
  • Check whether a remote desktop service (such as xfreerdp installed on Linux) is enabled. If not, enable a remote desktop service.
  • Check whether the required remote desktop port (typically port 3389) is enabled. If not, enable the port.
  • If you want to log on to the Linux instance as the root user, make sure that both the PermitRootLogin and PasswordAuthentication parameters are set to yes in the /etc/ssh/sshd_config file. For more information, see the Enable root logon over SSH on a Linux instance section in this topic.

Create a credential in Workbench

This section describes how to create a credential for an instance in Workbench. After the credential is created, you can use it for authentication when you log on to the instance.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
  5. In the Connection and Command dialog box, click Connect in the Workbench Connection section.
  6. In the Instance Login dialog box, specify parameters to log on to the instance.
    • If no credentials are present for the instance in Workbench, perform the following steps:
      1. Specify the parameters described in the following table.
        Parameter: Description
        Instance: The information of the current instance is automatically populated. You can also select another instance from the drop-down list.
        Connection:
          • To connect to an instance that resides in a VPC, you can use the public or private IP address of the instance.
          • To connect to an instance that resides in the classic network, you can use the public or internal IP address of the instance.
        Authentication:
          1. Select Credential-based.
          2. Select Create Credential from the Credential drop-down list.
      2. In the Add Credential dialog box, specify parameters described in the following table.
        Parameter: Description
        Credential Name: Enter a name for the credential.
        Username: Enter a username. Example: root.
        Credential Type: Select a credential type. Valid values:
          • Password: If you select this value, you must continue to enter a password for the authentication material.
          • PrivateKey: If you select this value, you must continue to enter or upload a private key certificate. If the certificate is encrypted, enter its key passphrase.
        Material Name: Enter a name for the authentication material.
        Password: Enter a password to use for authentication.
        Fingerprint: Fingerprint is automatically generated based on the password or key of the authentication material.
      3. Optional: You can click Add Material to add more authentication materials. At least one authentication material must be retained for each credential.
      4. Click OK.
      5. In the Instance Login dialog box, select the credential that you created from the PAM Credential drop-down list and click OK.
    • If credentials are present for the instance in Workbench, perform the following steps:
      1. Specify the parameters described in the following table.
        Parameter: Description
        Instance: The information of the current instance is automatically populated. You can also select another instance from the drop-down list.
        Connection:
          • To connect to an instance that resides in a VPC, you can use the public or private IP address of the instance.
          • To connect to an instance that resides in the classic network, you can use the public or internal IP address of the instance.
        Authentication: Select an existing credential.

        You can modify or delete credentials based on your needs.

      2. Click OK.

Enable root logon over SSH on a Linux instance

In some Linux operating systems, sshd disables root logon by default. If this occurs, when you attempt to connect to an instance as the root user over SSH, you are prompted that your username or password is invalid. To enable root logon over SSH, perform the following operations.

  1. Use VNC to connect to a Linux instance with a password. For more information, see Connect to a Linux instance by using password authentication.
  2. Open the SSH configuration file.
    vi /etc/ssh/sshd_config
  3. Configure the following parameters:
    • PermitRootLogin: Change the value from no to yes.
    • PasswordAuthentication: Change the value from no to yes.
  4. Press the Esc key and enter :wq to save the change.
  5. Restart sshd.
    service sshd restart
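
The following check is an added example, not part of the original topic. It reads sshd_config text and reports the values sshd uses for the two parameters from step 3, because sshd keeps the first value it reads for each keyword and a line appended further down has no effect. The sample file, the deploy user, and the function names are constructed for illustration; Include files are not followed.

```python
import re

# Defaults per sshd_config(5) for OpenSSH 7.0 and later (assumption: older builds differ).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed sample: the "yes" lines were appended instead of editing the "no" lines.
SAMPLE = """\
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
# appended later
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

def audit(config_text):
    """Return (effective, shadowed, conditional) for the two keywords from step 3."""
    effective, shadowed, conditional = dict(DEFAULTS), [], []
    seen, in_match = set(), False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A keyword and its argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # lines below apply only to matching connections
        elif key in DEFAULTS:
            entry = (lineno, key, value)
            if in_match:
                conditional.append(entry)
            elif key in seen:
                shadowed.append(entry)  # sshd keeps the first value it reads
            else:
                seen.add(key)
                effective[key] = value
    return effective, shadowed, conditional

def root_password_logon_enabled(config_text):
    """True only if the effective global values are both yes."""
    effective, _, _ = audit(config_text)
    return all(effective[k] == "yes" for k in DEFAULTS)

if __name__ == "__main__":
    print(audit(SAMPLE), root_password_logon_enabled(SAMPLE))
```

On the instance itself, sshd -T prints the configuration that sshd actually applies, which is the authoritative check after the restart in step 5.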

Add security group rules to allow Workbench access to a Linux instance

This section describes how to add rules to security groups of different network types in the ECS console to allow Workbench access to a Linux instance.
  • If you want to connect to a Linux instance that resides in a VPC, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters to be configured for the rule.
    NIC Type: N/A
    Rule Direction: Inbound
    Action: Allow
    Protocol Type:
      • If port 22 is enabled by default on the Linux instance, select SSH (22).
      • If you have manually enabled other ports on the Linux instance, select Custom TCP.
    Port Range:
      • If port 22 is enabled by default on the Linux instance, 22/22 is automatically entered after you select the protocol type.
      • If you have manually enabled other ports on the Linux instance, enter a corresponding port range.
    Priority: 1
    Authorization Type: IPv4 CIDR Block
    Authorization Object:
      • If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an elastic IP address (EIP) that is associated with the instance.
      • If you want to connect to the instance by using its private IP address, specify 100.104.0.0/16.
      Note: You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this exposes your instance to security risks. Proceed with caution.
  • If you want to connect to a Linux instance that resides in the classic network over the Internet, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internet Ingress tab. The following table describes the parameters to be configured for the rule.
    NIC Type: Public
    Rule Direction: Inbound
    Action: Allow
    Protocol Type:
      • If port 22 is enabled by default on the Linux instance, select SSH (22).
      • If you have manually enabled other ports on the Linux instance, select Custom TCP.
    Port Range:
      • If port 22 is enabled by default on the Linux instance, 22/22 is automatically entered after you select the protocol type.
      • If you have manually enabled other ports on the Linux instance, enter a corresponding port range.
    Priority: 1
    Authorization Type: IPv4 CIDR Block
    Authorization Object: If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an EIP that is associated with the instance.
      Note: You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this exposes your instance to security risks. Proceed with caution.
  • If you want to connect to a Linux instance that resides in the classic network over the internal network, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internal Network Ingress tab. The following table describes the parameters to be configured for the rule.
    NIC Type: N/A
    Rule Direction: Inbound
    Action: Allow
    Protocol Type:
      • If port 22 is enabled by default on the Linux instance, select SSH (22).
      • If you have manually enabled other ports on the Linux instance, select Custom TCP.
    Port Range:
      • If port 22 is enabled by default on the Linux instance, 22/22 is automatically entered after you select the protocol type.
      • If you have manually enabled other ports on the Linux instance, enter a corresponding port range.
    Priority: 1
    Authorization Type: IPv4 CIDR Block
    Authorization Object: If you want to connect to the instance by using its internal IP address, specify 161.117.90.22.
      Notice: High security risks may arise if you specify 0.0.0.0/0 as the authorization object. We recommend that you do not specify 0.0.0.0/0.
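
The following rule check is an added example, not part of the original topic. It takes a list of inbound rules and reports which ones use 0.0.0.0/0 on the connection port, and whether the remaining scoped rules still admit the Workbench addresses given above (161.117.90.22 and 100.104.0.0/16). The rule dictionary format, rule names, and function names are assumptions made for illustration and are not an ECS API format; rule priority and deny rules are not evaluated.

```python
import ipaddress

# Workbench source ranges exactly as given in this topic.
WORKBENCH_PUBLIC = ipaddress.ip_network("161.117.90.22/32")
WORKBENCH_PRIVATE = ipaddress.ip_network("100.104.0.0/16")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample rules; the dict keys are a hypothetical export format.
SAMPLE_RULES = [
    {"name": "workbench-ssh", "direction": "inbound", "action": "allow",
     "port_range": "22/22", "source": "161.117.90.22"},
    {"name": "legacy-ssh", "direction": "inbound", "action": "allow",
     "port_range": "22/22", "source": "0.0.0.0/0"},
    {"name": "workbench-rdp", "direction": "inbound", "action": "allow",
     "port_range": "3389/3389", "source": "100.104.0.0/16"},
]

def covers_port(port_range, port):
    """Port ranges use the console's low/high form, for example 22/22."""
    low, high = (int(p) for p in port_range.split("/"))
    return low <= port <= high

def audit_rules(rules, port):
    """Report open-to-all rules and whether scoped rules alone admit Workbench."""
    result = {"open_to_all": [], "public_ok": False, "private_ok": False}
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        if not covers_port(rule["port_range"], port):
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source == ANYWHERE:
            result["open_to_all"].append(rule["name"])
            continue  # excluded so the flags show what survives its removal
        result["public_ok"] |= WORKBENCH_PUBLIC.subnet_of(source)
        result["private_ok"] |= WORKBENCH_PRIVATE.subnet_of(source)
    return result

if __name__ == "__main__":
    for port in (22, 3389):
        print(port, audit_rules(SAMPLE_RULES, port))
```

When public_ok or private_ok is True for the port in use, the rules listed in open_to_all can be removed without breaking the corresponding Workbench connection path.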